CRITICAL🇵🇱 Wersja polska

CVE-2024-56525

CVSS 9.8v3.1pub. 2025-02-24upd. 2026-04-15

In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and insert a backdoor plugin, by uploading a crafted XML document as a User XML Plugin.

🤖 AI Analysis
How it works

An attacker with the Journal Editor role uploads a crafted XML document through the User XML Plugin function. The document contains malicious external entities (XXE) that are processed by the application without proper validation. By exploiting this vulnerability, the attacker can create a new role with super administrator privileges in the journal context and inject a malicious plugin acting as a backdoor.

Impact

An attacker can obtain full administrative privileges in the system and install a backdoor plugin, enabling persistent, unauthorized access to the platform, data theft, and further system compromise.

Mitigation & patch

Update PKP OJS, OMP, or OPS platforms to version 3.3.0.21 or later (for the 3.3.x branch) or to version 3.4.0.8 or later (for the 3.4.x branch). Until updating, it is recommended to restrict access to the User XML Plugin functionality and monitor the activity of users with the Journal Editor role.

Who is affected

Public Knowledge Project (PKP) OJS, OMP, and OPS in versions before 3.3.0.21 and in the 3.4.x branch before version 3.4.0.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XXE
CWE
References